Class: Lockbox::AES_GCM

Inherits:

Object

• Object
• Lockbox::AES_GCM

Defined in:

lib/lockbox/aes_gcm.rb

Instance Method Summary

• #decrypt(nonce, ciphertext, associated_data) ⇒ Object
• #encrypt(nonce, message, associated_data) ⇒ Object
• #initialize(key) ⇒ AES_GCM constructor

  A new instance of AES_GCM.

• #inspect ⇒ Object

  protect key.

• #nonce_bytes ⇒ Object

Constructor Details

#initialize(key) ⇒ AES_GCM

Returns a new instance of AES_GCM.

Raises:

• (ArgumentError)

# File 'lib/lockbox/aes_gcm.rb', line 3

def initialize(key)
  raise ArgumentError, "Key must be 32 bytes" unless key && key.bytesize == 32
  raise ArgumentError, "Key must be binary" unless key.encoding == Encoding::BINARY

  @key = key
end

Instance Method Details

#decrypt(nonce, ciphertext, associated_data) ⇒ Object

# File 'lib/lockbox/aes_gcm.rb', line 28

def decrypt(nonce, ciphertext, associated_data)
  auth_tag, ciphertext = extract_auth_tag(ciphertext.to_s)

  fail_decryption if nonce.to_s.bytesize != nonce_bytes
  fail_decryption if auth_tag.to_s.bytesize != auth_tag_bytes

  cipher = OpenSSL::Cipher.new("aes-256-gcm")
  # do not change order of operations
  cipher.decrypt
  cipher.key = @key
  cipher.iv = nonce
  cipher.auth_tag = auth_tag
  # From Ruby 2.5.3 OpenSSL::Cipher docs:
  # If no associated data shall be used, this method must still be called with a value of ""
  # When decrypting, set it only after calling #decrypt, #key=, #iv= and #auth_tag= first.
  cipher.auth_data = associated_data || ""

  begin
    message = String.new
    message << cipher.update(ciphertext) unless ciphertext.to_s.empty?
    message << cipher.final
    message
  rescue OpenSSL::Cipher::CipherError
    fail_decryption
  end
end

#encrypt(nonce, message, associated_data) ⇒ Object

# File 'lib/lockbox/aes_gcm.rb', line 10

def encrypt(nonce, message, associated_data)
  cipher = OpenSSL::Cipher.new("aes-256-gcm")
  # do not change order of operations
  cipher.encrypt
  cipher.key = @key
  cipher.iv = nonce
  # From Ruby 2.5.3 OpenSSL::Cipher docs:
  # If no associated data shall be used, this method must still be called with a value of ""
  # In encryption mode, it must be set after calling #encrypt and setting #key= and #iv=
  cipher.auth_data = associated_data || ""

  ciphertext = String.new
  ciphertext << cipher.update(message) unless message.empty?
  ciphertext << cipher.final
  ciphertext << cipher.auth_tag
  ciphertext
end

#inspect ⇒ Object

protect key

# File 'lib/lockbox/aes_gcm.rb', line 60

def inspect
  to_s
end

#nonce_bytes ⇒ Object

# File 'lib/lockbox/aes_gcm.rb', line 55

def nonce_bytes
  12
end